API First Mobile Strategy

© 2014 IBM Corporation 3236: API First Mobile Strategy Nitin Gaur, Senior MobileFirst Solution Architect Ozair Sheikh, Product Manager – DataPower Gateway Appliances Matt Kelm, Product Manager, API Management

Upload: nitin-gaur

Post on 14-Jan-2015


DESCRIPTION

Why do YOU need a mobile application strategy aligned to API management?

TRANSCRIPT

Page 1: API First Mobile Strategy

© 2014 IBM Corporation

3236: API First Mobile Strategy

Nitin Gaur, Senior MobileFirst Solution Architect

Ozair Sheikh, Product Manager – DataPower Gateway Appliances

Matt Kelm, Product Manager, API Management

Page 2: API First Mobile Strategy

Please Note

IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.

Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.

The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.

Page 3: API First Mobile Strategy

Designing for a robust Digital Strategy?

• IT strategies treat technology in isolation.

• Silo’ed Approach — on a cloud strategy, social strategy, or mobile strategy.

• Meaningful solutions - seek pervasive digital connections in which the individual technologies (cloud, near field communications, mobile, big data, etc.)

• Aim - to deliver an experience that looks and feels an awful lot like our natural behavior.

• Rich Interactions - more connections between people, places, information, and things (aka digital density), the more customers can interact with companies and each other in a seamless and satisfying way.

• Is your Enterprise Design ready for This?

IT strategy does not equate to a digital strategy.

Why?

Page 4: API First Mobile Strategy

Why do YOU need a mobile application strategy aligned to API management?

Why API Management

• API Management provides companies with the tools for creating, proxying, assembling, securing, scaling and socializing web APIs.

Mobile Platform

• Cross-platform mobile application development, based on open standards

• Rich application functionality to access full device capabilities and facilitate key business capabilities such as secured data access, offline working, and geo-location services

• End to end integrated security lifecycle from device, over the wire, to the data centre with user, application and device authenticity testing

• Cross-platform automated functional testing

• Application center app store for application distribution to the enterprise and partners

Page 5: API First Mobile Strategy

Agenda

Explosion in Mobile Adoption

Drivers – API Economy

API First Mobile Strategy

Design for Digital Strategy

Page 6: API First Mobile Strategy

Mobile Adoption Continues to Explode

1 Trillion

Connected Devices

2013 2014 2015

5.6 Billion

Personal Devices Sold

41% CAGR Wearable Wireless Devices

Page 7: API First Mobile Strategy

Organizations must restlessly re-invent… … and customer experience must be personal and immediate

• Outpace existing – and emerging – competitors

• Deliver ever more engaging customer experience

• Continuously learn how to improve and anticipate shifts

• Re-invent and enhance experience

Page 8: API First Mobile Strategy

A new Mobile Era, We Have Moved From…

Reactive security to intelligent, proactive protection

Rigid infrastructure to an elastic cloud infrastructure

Structured data to massive amounts of unstructured data

Millions of PCs to billions of mobile devices

Single transactions to personalized engagement

Static applications to dynamic composable services

Page 9: API First Mobile Strategy

So what is changing the Landscape?

New business models and paradigms

Drivers

Social Media goes mainstream

• Everyone wants to be on Facebook/LinkedIn etc.

• Every solution is compared to scalability and availability like social networks

• Capitalize on ‘perceived’ new markets on social network.

Emerging Channels of commerce

• New breed of personal devices

• Speed of commerce

• Low tolerance for ‘slow’ experience

Proliferation of ‘smart’ phones - Mobility

• Defining new engagement Models

• Exponential growth of Mobile Devices

• New System of Engagements

• Emerging markets – New Platforms

Globalization!!

• Single market for everything

• Everything is linked

Page 10: API First Mobile Strategy

The Goal: Becoming a Composable Business

• Dynamic, flexible, responsive, agile

• Built on blocks of capability that can be rapidly changed

• Driven by analytics of real-time data

Page 11: API First Mobile Strategy

The Business of APIs

Grow revenues…

… While reducing overhead

“$7bn worth of items on eBay through APIs” Mark Carges (eBay CTO)

“The API which has easily 10 times more traffic than the website, has been really very important to us.” Biz Stone (Co-founder, Twitter)

“The adoption of Amazon’s Web services is currently driving more network activity than everything Amazon does through their traditional web sites.” Jeff Bar (Amazon evangelist) / Dion Hinchcliffe (Journalist)

stores (800) ###s web sites

Not having an API today is like not having a website in the 1990s…


Page 12: API First Mobile Strategy

Business Design is an end-to-end Endeavor


Page 13: API First Mobile Strategy

What is a Business API?

• A Business API is a public persona for an enterprise; exposing defined assets, data or services for public consumption

• A Business API is simple for app developers to use, access and understand

• A Business API can be easily invoked via a browser, mobile device, etc.

What Value Does a Business API Provide?

• Extends an enterprise and opens new markets by allowing external app developers to easily leverage, publicize and/or aggregate a company’s assets for broad-based consumption

What “assets, data or services” are exposed via a Business API?

• Product catalogs

• Store listings

• Order status

• Inventory

• Social interaction

Business API = Productized Service

App Developer


Page 14: API First Mobile Strategy

Example: APIs creation extends services


“Better Bank’s” comprehensive API strategy reaches customers through new channels

External Developers

• Lending Rates API

• Deposit Rates API

• Neighborhood Data API

• Demographics API

Local Real Estate Aggregator App

Page 15: API First Mobile Strategy

Example: APIs consumption powers high-value applications


“Better Bank’s” comprehensive API improves employee productivity

Internal Developers

• Customer Profile API

• Risk Score API

• Valuation API

• Property Details API

• Mortgage API

Loan Origination / Processing Application

• Credit Pre-qualification API

• Application Submission API

Page 16: API First Mobile Strategy

Mobile applications use APIs from developer portals

Explore API documentation

Interactively exercise APIs

Page 17: API First Mobile Strategy

Spectrum of mobile app development approaches

Web-native continuum

• HTML5, JS, and CSS3 (full site or m.site)

• Quicker and cheaper way to mobile

• Sub-optimal experience

• HTML5, JS, and CSS

• Usually leverages Cordova

• Downloadable, app store presence, push capabilities

• Can use native APIs

• As previous

• + more responsive, available offline

• Web + native code

• Optimized user experience with native screens, controls, and navigation

• App fully adjusted to OS

• Some screens are multi-platform when makes sense

• App fully adjusted to OS

• Best attainable user experience

• Unique development effort per OS, costly to maintain

[Figure labels, from pure web through hybrid to pure native: Mobile web site (browser access); Native shell enclosing external m.site; Pre-packaged HTML5 resources; HTML5 + native UI; Mostly native, some HTML5 screens; Pure native]

Page 18: API First Mobile Strategy

Connecting APIs to Mobile Devices (1 of 2)

API services based upon HTTP/REST/JSON provide lightweight, standard approach to integrate with backend services

Mobile application frameworks provide frameworks to invoke API services

• iOS: NSURLConnection

• Android: HttpURLConnection

• JavaScript: dojo.xhr/jquery.ajax


Page 19: API First Mobile Strategy

Connecting APIs to Mobile Devices (2 of 2)

Mobile applications invoke API services asynchronously

Mobile application frameworks provide ‘callbacks’ to trigger logic once a certain action is performed

• Does not block the user from performing other actions

Mobile applications must be designed to handle cases where API services are slow to respond

• Multiple API calls may be triggered concurrently

Page 20: API First Mobile Strategy

What about security and integration?

Connecting Mobile applications to API services is easy with the right framework … but there are several other considerations

Security

• How do I access a protected API service securely and manage session information

• How can I ensure an API service conforms to a “contract”

Integration

• Mobile application logic requires transformation/filtering logic

• Connect to non-HTTP protocols such as MQ securely

Page 21: API First Mobile Strategy

Cannot always trust your APIs!

API responses may not define an explicit schema

• Developer portals provide sample responses but no “contract” to guarantee structure and data types

• Ensure responses do not contain malicious data that allows sensitive information to be compromised

Mobile client authentication

• Leverage external security service to authenticate and authorize user credentials

• Do not hardcode any security credentials

Trusting enterprise mobile application

• Use Mobile device management solution (Worklight) to ensure application is trusted when connecting to enterprise API services
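
An added example (not from the slides) of two points made above: invoke the API asynchronously with a timeout so a slow service cannot hang the app, and accept a response only if it matches an explicit contract. The field names, path, limits and stub transports are assumptions modelled on the deck's Lending Rates API.

```javascript
// Added example, not from the slides. Field names, the path and the limits
// are assumptions modelled on the deck's "Lending Rates API".
const LENDING_RATE_CONTRACT = {
  product:    { type: 'string', pattern: /^[A-Za-z0-9 -]{1,40}$/ },
  termMonths: { type: 'number', integer: true, min: 1, max: 480 },
  aprPercent: { type: 'number', min: 0, max: 100 },
};
const MAX_RECORDS = 100;
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Returns the list of contract violations for one record (empty = conforms).
function checkRecord(record, contract) {
  if (record === null || typeof record !== 'object' || Array.isArray(record)) {
    return ['record is not an object'];
  }
  const errors = [];
  for (const key of Object.keys(record)) {
    if (!own(contract, key)) errors.push(`unexpected field: ${key}`);
  }
  for (const [key, rule] of Object.entries(contract)) {
    const value = record[key];
    const badNumber = rule.type === 'number' && typeof value === 'number' &&
      (!Number.isFinite(value) || value < rule.min || value > rule.max ||
       (rule.integer && !Number.isInteger(value)));
    if (!own(record, key)) errors.push(`missing field: ${key}`);
    else if (typeof value !== rule.type) errors.push(`${key}: expected ${rule.type}`);
    else if (rule.pattern && !rule.pattern.test(value)) errors.push(`${key}: value not allowed`);
    else if (badNumber) errors.push(`${key}: out of range`);
  }
  return errors;
}

// Parses a response body and accepts it only if every record conforms.
function parseLendingRates(body) {
  const fail = (errors) => ({ ok: false, rates: [], errors });
  let data;
  try { data = JSON.parse(body); } catch (e) { return fail(['invalid JSON']); }
  if (!Array.isArray(data) || data.length > MAX_RECORDS) {
    return fail([`expected an array of at most ${MAX_RECORDS} records`]);
  }
  const errors = data.flatMap((rec, i) =>
    checkRecord(rec, LENDING_RATE_CONTRACT).map((e) => `[${i}] ${e}`));
  if (errors.length) return fail(errors);
  // Copy only the contract fields so nothing else reaches the UI layer.
  const rates = data.map((r) => (
    { product: r.product, termMonths: r.termMonths, aprPercent: r.aprPercent }));
  return { ok: true, rates, errors: [] };
}

// Rejects if the call has not settled within ms milliseconds.
function withTimeout(promise, ms) {
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error('API timeout')), ms);
  });
  return Promise.race([promise, timeout]).finally(() => clearTimeout(timer));
}

// transport (hypothetical HTTP wrapper) and accessToken are passed in at
// runtime; the token comes from the security service, never from source code.
async function loadRates(transport, accessToken, timeoutMs) {
  try {
    const body = await withTimeout(transport('/lending-rates', accessToken), timeoutMs);
    return parseLendingRates(body);
  } catch (err) {
    return { ok: false, rates: [], errors: [err.message] };
  }
}

// Constructed sample transports standing in for the HTTP layer.
const goodTransport = async () =>
  '[{"product":"30 Year Fixed","termMonths":360,"aprPercent":4.25}]';
const slowTransport = () => new Promise((resolve) => setTimeout(() => resolve('[]'), 200));
```

Several `loadRates` calls can be started together and awaited with `Promise.all`; each one carries its own timeout and validation result.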

Page 22: API First Mobile Strategy

Secure Mobile applications

DataPower deployed in the DMZ is the first level of security for access control, threat protection, and data validation

Increased awareness of mobile security

• Mobile traffic enters corporate network through the DMZ from the Internet

• Security teams have less control over devices accessing the corporate network

Security is about defense-in-depth

• Several levels of defense required to provide a security solution

Identity & Access Management

Threat Protection

Data Security

Page 23: API First Mobile Strategy

Integrating Mobile applications with existing infrastructure

Mobile applications still require access to existing enterprise services that are not based upon REST/JSON/HTTP standards

Avoid client-side ‘integration’ logic

• Example: message transformation/filtering, non-HTTP interaction, etc.

[Diagram labels: HTTP(s); FTP(s); SFTP; WebSphere MQ, MQ FTE; WebSphere JMS; Database (DB2, SQL Server, Oracle, Sybase); TIBCO EMS; IMS; NFS]

Page 24: API First Mobile Strategy

Mobile security and integration gateway - Optimize and Control

Mobile gateway provides security and integration capabilities combined that optimize and control mobile traffic

Optimize – Decrease response time and intelligently distribute load?

• Intelligent load balance to Worklight server deployed on WebSphere Application Server ND

• Decreased response time provides better user experience and interaction with application conserving battery power and enabling data access in bandwidth sensitive locations

Shape mobile traffic based on service level agreements, and route based on message content

• Manage traffic from Mobile applications, providing different QoS to protect your services and applications from over-utilization and enforce quota

Control

Optimize

Page 25: API First Mobile Strategy

Mobile integration using IBM API Management

• DataPower is a component of the IBM Web API solution providing runtime access to Web API from Mobile applications

DataPower intelligently routes traffic to either the Worklight server or Web API service provider

IBM API Manager provides central point for exposing and documenting the available APIs

Analytics Module provides storage for system-wide API metrics

[Diagram labels: Mobile Consumer; WL App; Web API Traffic (REST), JSON or XML / HTTP(s); IBM DataPower Gateway; Security Gateway; DMZ; Secure; Web API Service Provider; Web API; IBM API Manager; API Developer; Management Node; Hypervisor; Analytics; Analytics traffic]

Page 26: API First Mobile Strategy

Questions?

Page 27: API First Mobile Strategy

Thank You

Page 28: API First Mobile Strategy

API Management Resources

Product Page

• ibm.com/apimanagement

API developer community

• developer.ibm.com/apimanagement

Twitter

• @ibmapimgt

YouTube Channel

• youtube.com/ibmapimanagement

Slideshare

• slideshare.net/ibmapimgmt

Speaker Deck

• speakerdeck.com/ibmapimgmt


Page 29: API First Mobile Strategy

Pitney Bowes, a global leader in software innovations, and mailing and shipping solutions, powers billions of transactions in modern commerce

“Pitney Bowes location-based services on IBM BlueMix will allow innovators and developers to seamlessly extend their products and services to the cloud and mobile devices.” - Roger Pilc, Chief Innovation Officer, Pitney Bowes

Page 30: API First Mobile Strategy

Codename: BlueMix

Delivering a Composable Services development environment

Run Your Apps

The developer can choose any language runtime or bring their own. Just upload your code and go.

DevOps

Development, monitoring, deployment and logging tools allow the developer to run the entire application

APIs and Services

A catalog of open source, IBM and third party APIs services allow a developer to stitch together an application in minutes.

Cloud Integration

Build hybrid environments. Connect to on-premises systems of record plus other public and private clouds. Expose your own APIs to your developers.

Built on IBM SoftLayer

Runs automatically on top of IBM’s leading infrastructure as a service. No need to worry about provisioning or managing infrastructure.

Page 31: API First Mobile Strategy

[Diagram labels: App 1; App 2; App n; Partners; 3rd Party; WL App-specific APIs; Adapter; Mgmt; API mgmt – Generic APIs; Backend Service; AD]

Worklight server responsibility

1. Security lifecycle

• App authentication

• Multi-factor auth

• Device SSO and secured access

• Offline auth

2. Simplified data access API manages

• Connectivity

• Data transformation (REST)

• Offline working with optional synchronisation

• Security integration

• Mobile service layer owned and shaped by app dev team

3. Application management (does not require footprint on device)

• App Center application distribution

• Direct app update

• Remote app disable

4. Operational control

• Application analytics

• Consolidated logging

API mgmt responsibility (in mobile context)

• Stable API layer – Governance owned by central architecture

• Multi-channel access

• Mediation to data sources

• Security?

Architecture Option 1 – Use Worklight for app management and data access

Jonathan Marshall
Am not covering push notifications as this is delegated to Urban Airship
Jonathan Marshall
Would like Justin's advice on the separation of responsibilities of security between API and WL
Page 32: API First Mobile Strategy

[Diagram labels: App 1; App 2; App n; Partners; 3rd Party; API mgmt – Generic and App-specific APIs; WL; Mgmt; Backend Service; AD]

Worklight server responsibility

1. Security lifecycle

• App authentication

• Multi-factor auth

• Device SSO and secured access

• Offline auth

2. Simplified data access API manages

• Connectivity

• Data transformation (REST)

• Offline working with optional synchronisation

• Security integration

• Mobile service layer owned and shaped by app dev team

3. Application management does not require footprint on device

• App Center application distribution

• Direct app update

• Remote app disable

4. Operational control

• Application analytics

• Consolidated logging

API mgmt responsibility (in mobile context)

1. Stable API layer and App-specific requirements

2. Multi-channel access

3. Mediation to data sources

4. Secured data access

Architecture Option 2 – Use Worklight for app management

Page 33: API First Mobile Strategy

Architecture Option 1 – Use Worklight for app management and data access

Pros

• ApiMgmt API layer can focus on providing generic APIs with well-defined and stable lifecycle

• WL developers can provide their own integration to meet their app-specific requirements and iterate as required for app improvements. All data requests still ultimately go through single API layer

• WL infrastructure can manage full security lifecycle

• Make full use of WL developer APIs for improved productivity

• Option for app developer to make use of server-side processing

Cons

• Extra hop in network (can be mitigated by reduced data and calls)

• WL is additional component that needs to be sized and managed for throughput – option for managed service?

Page 34: API First Mobile Strategy

Architecture Option 2 – Use Worklight for app management

Pros

All data access goes directly through ApiMgmt API layer

Reduction in network hops

Cons

Developer needs bespoke app-side development to handle

• Integration with API mgmt security lifecycle

• Connectivity

• Any data transformation needed

If any app-specific APIs are being provisioned on ApiMgmt, needs to be done by different team and iterative development needs to match that of mobile application

Page 35: API First Mobile Strategy

Legal Disclaimer

• © IBM Corporation 2014. All Rights Reserved.

• The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.

• References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.
